A week in security (Aug 14 – Aug 20)

Last week, we published two blog posts about the Shakti Trojan: first, an overview of what it is (an information stealer designed for corporate espionage), its background, and what it can do; and second, a complete technical analysis of its sample. We also disclosed a new 419 scam that uses the names of U.S. soldiers to lure in targets, an uncommon behaviour spotted in two major malware distribution campaigns, and an SMS scam that targets worried parents.

Director of Mac Offerings Thomas Reed revealed how PCVARK, a major developer of Mac PUPs, played dirty: the company included a product called Mac File Opener with its Advanced Mac Cleaner installer. The file opener is fake and inevitably leads users to a scam page claiming that their Mac is infected with malware.

For our final PUP Friday post for August, Reed tackled MacKeeper once more after he profiled it back in 2014. This time, he shared a number of tales of purported Mac system infections and outdated software that needs updating.

Notable news stories and security-related happenings:

  • Security Consultants Demonstrate That It’s Easy To Hack Voting Machines. “Before we go into complete panic mode, it’s important to note that 75 percent of America’s votes are still cast on good old-fashioned paper, which is notoriously difficult to hack, and many of the electronic voting machines that are in place still print a paper ballot after the vote is cast, leaving a paper trail to follow in the event of electoral fraud. But five states – Georgia, Delaware, Louisiana, South Carolina, and New Jersey – now use electronic voting machines which leave no auditable paper trail, and those machines function based on something called a “voter access card” that voters receive before entering the polls.” (Source: The Inquisitr)
  • Pokemon Go Security Flaw Enables Hacker To Take Over Gyms In London And New York Using Eggs. “Hacking a gym in Pokémon Go literally has no monetary benefit and only serves as a way to irritate and frustrate other players in the game. There is also no means of getting rid of the hacker unless Niantic Labs patches the vulnerability and bans the user from the game completely, although the hacker could easily register a new account using another Google account.” (Source: The International Business Times)
  • Australian Authorities Hacked Computers In The US. “Australian authorities hacked Tor users in the US as part of a child pornography investigation, Motherboard has learned. The contours of this previously-unreported hacking operation have come to light through recently-filed US court documents. The case highlights how law enforcement around the world are increasingly pursuing targets overseas using hacking tools, raising legal questions around agencies’ reach.” (Source: Motherboard)
  • LinkedIn Sues Anonymous Data Scrapers. “The professional networking company filed suit against 100 unnamed individuals last week for using bots to harvest user profiles from its website. The lawsuit is a preliminary step to revealing the identities of the scrapers — LinkedIn intends to ask the court to reveal the true identities behind the scrapers’ IP addresses — and a way to maintain its exclusive hold on users’ resumes.” (Source: TechCrunch)
  • As India Gears Up for Cybersecurity Challenges, Threats Are Multiplying. “In recent times, India has launched a series of cybersecurity initiatives to digitally empower its citizens and safeguard cyberspace. As the Digital India initiative progresses, cyberattacks have doubled year over year, and Indian businesses and government sites have become more vulnerable. In the wake of increasing cyberthreats, India appointed its first chief information security officer (CISO). The appointment underlines India’s commitment to combating cyberattacks. It will help India develop the vision and policy to fight cybercrime and manage cybersecurity more effectively.” (Source: Security Intelligence)
  • Microsoft Rolls Out A New Authenticator App For Android And iOS, Makes 2FA Simpler. “Leave it to Microsoft to make something as simple as a two-factor authentication (2FA) app as complicated as possible. Thankfully, Microsoft is cleaning up its hodge-podge of authenticator apps that include Azure Authenticator and Microsoft Account on Android with a single, unified version called Microsoft Authenticator. The app is now available on Android and iOS, and at some point should be landing on Windows 10 Mobile—as soon as it exits the internal beta, that is.” (Source: PC World)
  • Pokémon Go Exploitation Saga Continues; Beware Of New Ransomware. “Therefore, not surprisingly, hackers are churning out one malware after another claiming to be apps that install Pokémon Go on your phones. This report informs you about the latest of such attempts from scammers that make use of the popular game. In this new campaign, hackers are distributing a Pokémon Go themed ransomware that is capable of encrypting all the data on the phone, data exfiltration and also creating backdoor Window accounts.” (Source: HackRead)
  • 20 Hotels Suffer Hack Costing Tens Of Thousands Their Credit Card Information. “The chain that owns Starwood, Marriott, Hyatt, and Intercontinental hotels—HEI Hotels & Resorts—said this weekend that the payment systems for 20 of its locations had been infected with malware that may have been able to steal tens of thousands of credit card numbers and corresponding customer names, expiration dates, and verification codes. HEI claims that it did not lose control of any customer PINs, as they are not collected by the company’s systems.” (Source: Ars Technica)
  • Where Does Text Message Spam Come From? NUVOs. “Text messages sent through NUVOs start out inside the apps, but then go through the usual big-name mobile network operators, who have processes in place to spot problems. However, since the NUVOs lease services from multiple providers, and the messages come from virtual accounts and not actual mobile phone numbers, it’s harder for the mobile phone companies to stop the spammers. In addition, NUVOs offer application interfaces that can make some forms of abuse more accessible, said Landesman.” (Source: CSO)
  • ESET Report Says Millennials Are Cyber Savvy – And Also Cyber Careless. “The report, ‘ESET Australia and New Zealand cyber-savviness report 2016 part 2: The differences in cybersecurity practices across generations’, found that 46% of millennials use the same password for all accounts on personal devices – compared to only 18% of baby boomers. 71% of millennials stay logged into their social media accounts all the time on their devices, compared to only 35% of baby boomers. And on top of that, 40% of millennials will accept any social media request, compared to only 17% of baby boomers.” (Source: Net Guide)
  • Attackers Can Hijack Unencrypted Web Traffic Of 80% Of Android Users. “The recently revealed security bug (CVE-2016-5696) in the TCP implementation in the Linux kernel that could allow attackers to hijack unencrypted web traffic without an MitM position also affects some 1.4 billion Android devices, Lookout researchers have warned. […] This fact should not be surprising, as the Android mobile OS is based on the Linux kernel.” (Source: Help Net Security)
  • Healthcare’s Latest Cyber Threat: Source Code For Sale On The Dark Web. “One of the repeating themes at this year’s annual Black Hat cybersecurity conference was the idea that cyber threats in general are now moving rapidly beyond the “prototype” phase into full-scale production. One way that becomes apparent is by looking for datasets that are for sale on what’s known as the ‘dark web’ using tools that are specifically designed to buy (or sell) anything with industrial-strength anonymity. Most of us have no need or use for this murky portion of the web because it’s rife with criminals selling drugs, illegal porn–and now software source code that has a significant footprint inside healthcare.” (Source: Forbes)
  • A Hacker Only Needs 25 Minutes To Break Into Your Organization’s Computer Systems, Report Finds. “Let’s say there’s a hacker who wants to worm his or her way into your organization’s computer systems. How long, on average, would it take for the hacker to compromise your email server? According to a report released on Tuesday by the cloud-based cybersecurity firm Duo Security, the answer is about 25 minutes.” (Source: The Daily Dot)
  • People Like Using Passwords Way More Than Biometrics. “A new survey shows that we’ll give up our passwords only when they’re pried from our cold, dead hands. That’s more or less the conclusion of a new study conducted by Yougov on behalf of email portal In a recent survey of 1,119 US people, the preferred method, by far, to log on to online services was the password, chosen by over half – 58% – of respondents. Biometrics weren’t even close.” (Source: Sophos’ Naked Security Blog)
  • Scammer AI Can Tailor Clickbait To You For Phishing Attacks. “The team tested the system on 90 people and managed to trick more than two-thirds of them into clicking the link. The team thinks that the approach could reach far more people with a greater success rate than hand-crafted approaches. They also say the system would work on other social media sites, including Facebook. The work was presented at the Black Hat conference in Las Vegas last week. But it’s not just about getting someone to click on a link. A recent study by a team at Columbia University suggested that 60 per cent of people don’t click on or read the links they retweet. Tully says that’s a boon for the technique his team is warning about.” (Source: New Scientist)
  • Marcher Steps Up Game: Malware Poses As Security Update, Imitates Popular Apps. “In a blog post, cybersecurity firm Zscaler reported finding a malicious HTML page that claims the reader’s device is vulnerable to viruses, urging the user to install a firmware update. ‘Some of your photos, chat messages and account passwords may have become visible to others on the Internet,’ the message warns ominously. Unfortunately, this so-called update is merely the malicious Marcher payload, which upon installation will request administrator access. Once granted admin privileges, the malware can serve its true purpose, impersonating and overlaying legitimate mobile apps with mobile phishing pages that trick users to giving away their credentials and credit card data.” (Source: SC Magazine)
  • Malware Infected All Eddie Bauer Stores In U.S., Canada. “Clothing store chain Eddie Bauer said today it has detected and removed malicious software from point-of-sale systems at all of its 350+ stores in North America, and that credit and debit cards used at those stores during the first six months of 2016 may have been compromised in the breach. The acknowledgement comes nearly six weeks after KrebsOnSecurity first notified the clothier about a possible intrusion at stores nationwide.” (Source: KrebsOnSecurity)
  • Browser Address Bar Spoofing Vulnerability Disclosed. “Chrome, Firefox and likely other major browsers are afflicted by a vulnerability that allows attackers to spoof URLs in the address bar. While Mozilla said it has patched the flaw in the affected Android version of the Firefox browser, Google said Chrome will be fixed in an upcoming September release.” (Source: Kaspersky’s Threatpost)
  • Twitter’s Anti-Abuse Filter Is Finally Available to All. “While Twitter’s new quality filter could improve our experience on the platform, chances are it won’t end abuse and trolling altogether. Because while it will limit threats and hate speech, the fact remains that Twitter has never dealt with direct complaints of abuse very well, and has yet to prove that it will rise up to the challenge when the quality filter falls short. Since online culture has yet to change, that day, or second, is inevitable.” (Source: Motherboard)
  • Beware: Hackers Targeting Pokemon Go Users With Smishing Scam. “The latest campaign to be identified by researchers is the malicious, backdoored app that is available on a file repository service. In this new campaign, attackers have attempted to lure Pokemon Go players by forcing them to view SMS spam messages so that they visit infected websites.” (Source: HackRead)
  • Dating Sites Hit By Luring Attacks From TOR. “Luring attacks are mounted by a competing dating site to lure users from the victim site to the attacker site. Most luring attacks target multiple dating services and send spam messages to a large number of users, inviting them to different dating sites, probably all controlled by the same hacker. According to Imperva, the motivation for the attacker is clear—to divert customers away from the competitor’s site and lure them to the attacker’s site.” (Source: Infosecurity Magazine)

Safe surfing, everyone!

The Malwarebytes Labs Team